Now the UI says "this site", which is, to my ear, synonymous with "first party domain". But now on other sites, any third-party iframe from www.google.com (such as created by a Google Analytics script or a Google+ button) can know our location. And, further, it can expose a function call (using iframe postMessage tricks) that any other script on the same page could call to obtain our location. So in practice, we have given permission for numerous domains to obtain our location. And the very existence of the unusual permission setting, or any other, helps to track us.

So I would like to propose that we key every permission by first-party domain instead of origin domain. That means that the Permissions UI doesn't need to change much at all. We are still assigning each permission to a single domain. But this way, granting a permission to google.com would not leak to every other site.
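To make the two keying schemes concrete, here is a small model in JavaScript. This is an added example, not code from the bug thread or from any browser; the `PermissionStore` class, `originOf`, `firstPartyDomainOf` and the URLs are my own constructions. It approximates "first-party domain" as the last two host labels, which is a simplification (a real implementation would consult the Public Suffix List). It shows that with origin keying, a grant made while visiting google.com also answers "allowed" for a google.com resource embedded on an unrelated site, whereas with first-party keying it does not.

```javascript
// Added example: compares origin-keyed and first-party-keyed permission stores.
// All names and URLs here are hypothetical and constructed for illustration.

// The key most browsers used: scheme + host + port of the requesting document.
function originOf(url) {
  return new URL(url).origin;
}

// First-party domain of the top-level (address-bar) page.
// Assumption: the registrable domain is the last two host labels; a real
// implementation would use the Public Suffix List instead.
function firstPartyDomainOf(url) {
  const labels = new URL(url).hostname.split(".");
  return labels.slice(-2).join(".");
}

class PermissionStore {
  // keying is "origin" (grant keyed by the requester's origin) or
  // "firstParty" (grant keyed by the top-level site's domain).
  constructor(keying) {
    this.keying = keying;
    this.grants = new Map();
  }

  // requestingUrl: the document or script asking for the permission.
  // topLevelUrl:   the page shown in the address bar at that time.
  key(permission, requestingUrl, topLevelUrl) {
    if (this.keying === "origin") {
      return `${permission}|${originOf(requestingUrl)}`;
    }
    return `${permission}|${firstPartyDomainOf(topLevelUrl)}`;
  }

  grant(permission, requestingUrl, topLevelUrl) {
    this.grants.set(this.key(permission, requestingUrl, topLevelUrl), true);
  }

  isAllowed(permission, requestingUrl, topLevelUrl) {
    return this.grants.get(this.key(permission, requestingUrl, topLevelUrl)) === true;
  }
}

// Scenario: the user visits www.google.com and grants geolocation there.
// Then three later requests are evaluated under the chosen keying scheme.
function simulate(keying) {
  const store = new PermissionStore(keying);
  store.grant("geolocation", "https://www.google.com/maps", "https://www.google.com/maps");

  return {
    // Same site, same origin: should be allowed under both schemes.
    onGoogleItself: store.isAllowed(
      "geolocation", "https://www.google.com/maps", "https://www.google.com/maps"),

    // A www.google.com script embedded on an unrelated site (constructed URL).
    // Origin keying answers "allowed" here: the grant has leaked to news.example.
    googleEmbeddedOnOtherSite: store.isAllowed(
      "geolocation", "https://www.google.com/analytics.js", "https://news.example/article"),

    // A different google.com origin loaded while the user is on www.google.com.
    // First-party keying allows it (the grant covers the whole first-party site);
    // origin keying does not, since apis.google.com was never granted.
    otherGoogleOriginOnGoogle: store.isAllowed(
      "geolocation", "https://apis.google.com/widget.js", "https://www.google.com/maps"),
  };
}

console.log("origin keying:     ", simulate("origin"));
console.log("first-party keying:", simulate("firstParty"));
```

The third case shows the trade-off the proposal accepts: keying by first-party domain stops the grant from following google.com resources onto other sites, but it does mean any third-party content loaded on google.com can use the grant while the user is there.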